CN101888329A - Address resolution protocol (ARP) message processing method, device and access equipment - Google Patents

Publication number: CN101888329A
Application number: CN2010101591759A
Authority: CN (China)
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other versions: CN101888329B (en)
Original language: Chinese (zh)
Inventor: 张炯煌
Original and current assignee: Beijing Star Net Ruijie Networks Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Prior art keywords: arp, message, address, list item, port
Legal events: application filed by Beijing Star Net Ruijie Networks Co Ltd; priority to CN2010101591759A; publication of CN101888329A; application granted; publication of CN101888329B; current status expired - fee related

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides an address resolution protocol (ARP) message processing method, device and access equipment. The method comprises the following steps: when the access equipment receives an ARP message sent by a terminal through a privileged port, detecting whether the ARP message matches a preset anti-spoofing feature entry of the access equipment, wherein the anti-spoofing feature entry comprises filtering ARP messages whose sender IP address is the IP address of any legitimate terminal of the access equipment and ARP messages whose sender MAC address is the MAC address of any legitimate terminal, and the privileged ports comprise ports on which the static ARP inspection function is not configured; and if the ARP message matches the preset anti-spoofing feature entry, filtering the ARP message. The invention effectively prevents an illegitimate terminal from carrying out ARP spoofing through a privileged port by impersonating a legitimate terminal. Moreover, the invention can be implemented without the participation of the gateway equipment or the user's host, which keeps the network configuration simple and improves the flexibility, stability and security of the network deployment.

Description

Address resolution protocol message processing method, device and access device
Technical field
The present invention relates to the field of communication technology, and in particular to a method and device for processing address resolution protocol messages, and to an access device.
Background technology
In current network technology, terminal devices are distinguished in a network by their Internet Protocol (IP) addresses. When a sending terminal that initiates communication sends a message to another terminal, it must therefore obtain the Media Access Control (MAC) address of the target terminal in order to complete the encapsulation of the message, which requires a conversion between a device's IP address and its MAC address. At present this address conversion is usually achieved by the Address Resolution Protocol (ARP): ARP translates the IP address of the target terminal into a MAC address and thereby ensures that communication proceeds smoothly.
Because ARP is built on trust in all nodes of the local area network (LAN), a terminal running ARP does not check whether it ever sent an ARP request, nor whether a received ARP reply is legitimate: as long as it receives an ARP message whose destination MAC address is its own MAC address, it accepts and caches it. This undoubtedly makes ARP spoofing attacks possible. In an ARP spoofing attack, the attacker maliciously sends ARP messages while impersonating a legitimate host, forging the sender IP address or sender MAC address in the ARP message to that of the legitimate host in order to deceive other hosts, with the aim of stealing important data from other hosts or even causing congestion in the LAN. How to defend effectively against ARP spoofing is therefore a major issue to be considered when deploying a LAN.
A commonly used method of defending against ARP spoofing attacks in the prior art is the following: the access device parses the authentication information of an authenticating client terminal, obtains and records the IP-MAC address correspondence of that client terminal, and, in the message feature database of the access device, sets this IP-MAC correspondence as a dynamically rewritable static ARP inspection entry on the port corresponding to the client terminal. When that port receives any ARP message, the sender IP address and the sender MAC address in the message are both checked; only when both match the static ARP inspection entry configured on the port is the ARP message allowed to pass, otherwise it is filtered and discarded.
Although this inspection method can defend to some extent against ARP attacks inside the LAN, it also has a drawback: a static ARP inspection entry only takes effect on the designated ports of the access device on which the ARP inspection function has been enabled. To achieve global ARP defence on the access device, the inspection function would therefore have to be enabled on all ports, which greatly limits the flexibility of network deployment. At the same time, in actual deployment, certain ports must use a secure data channel to pass some privileged-user messages; no network security function is configured on these ports, and the ARP inspection function cannot be enabled on them either. Consequently, for these secure-channel ports, if a host under such a port initiates ARP spoofing, whether because of ARP poisoning or a malicious attack, the port cannot perform ARP inspection, and the host can successfully spoof the gateway or other legitimate user hosts connected to the same access device, which is a serious security risk.
Summary of the invention
The present invention provides an address resolution protocol message processing method, device and access device, in order to prevent ARP spoofing attacks in which an illegitimate client impersonates a legitimate user through a port of the access device on which the static ARP inspection function is not configured.
To achieve the above object, the present invention provides an address resolution protocol message processing method, comprising:
when the access device receives a first ARP message sent by a terminal through a privileged port, detecting whether the first ARP message matches a preset anti-spoofing feature entry of the access device, wherein the anti-spoofing feature entry comprises filtering ARP messages whose sender IP address is the IP address of any legitimate terminal of the access device and filtering ARP messages whose sender MAC address is the MAC address of any such legitimate terminal, and the privileged port comprises a port on which the static ARP inspection function is not configured;
if the first ARP message is detected to match the preset anti-spoofing feature entry, filtering the first ARP message.
To achieve the above object, the present invention also provides an address resolution protocol message processing device, comprising:
a first message receiving module, configured to receive a first ARP message sent by a terminal through a privileged port;
a first entry detection module, configured to detect whether the first ARP message matches a preset anti-spoofing feature entry of the access device, wherein the anti-spoofing feature entry comprises filtering ARP messages whose sender IP address is the IP address of any legitimate terminal of the access device and filtering ARP messages whose sender MAC address is the MAC address of any such legitimate terminal, and the privileged port comprises a port on which the static ARP inspection function is not configured;
a first message filtering module, configured to filter the first ARP message if the first entry detection module detects that the first ARP message matches the preset anti-spoofing feature entry.
To achieve the above object, the present invention also provides an access device comprising an access module and further comprising the above address resolution protocol message processing device, wherein the address resolution protocol message processing device is connected to the access module.
In the address resolution protocol message processing method, device and access device provided by the present invention, an anti-spoofing feature entry is set in the message feature database of the access device, indicating that ARP spoofing messages received under a privileged port whose sender IP address impersonates the IP address of a legitimate terminal, and ARP spoofing messages whose sender MAC address impersonates the MAC address of a legitimate terminal, are to be filtered. Thus, when an illegitimate terminal attempts to send ARP spoofing messages to a legitimate terminal or to the gateway of the access device through a privileged port on which the static ARP inspection function is not configured, the privileged port can filter out the spoofing message by means of the preset anti-spoofing feature entry, which effectively guards against ARP spoofing carried out through a privileged port by an illegitimate terminal impersonating a legitimate terminal toward other terminals or the gateway device. Furthermore, implementing the invention requires no participation of the gateway device or of user hosts and adds no burden to the access device; the network configuration is simple, and the flexibility, stability and security of network deployment are greatly improved.
Description of drawings
In order to illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings required for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of embodiment one of the address resolution protocol message processing method of the present invention;
Fig. 2 is a flow chart of embodiment two of the address resolution protocol message processing method of the present invention;
Fig. 3 is a structural diagram of embodiment one of the address resolution protocol message processing device of the present invention;
Fig. 4 is a structural diagram of embodiment two of the address resolution protocol message processing device of the present invention;
Fig. 5 is a structural diagram of an embodiment of the access device of the present invention.
Embodiment
In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of embodiment one of the address resolution protocol message processing method of the present invention. As shown in Fig. 1, this embodiment specifically comprises the following steps:
Step 100: when the access device receives a first ARP message sent by a terminal through a privileged port, detect whether the first ARP message matches the preset anti-spoofing feature entry of the access device;
Access devices commonly used in communication networks, such as an ordinary access switch or access router, usually contain two types of port to meet the needs of actual deployment. On the first type, the static ARP entry inspection function of the message feature database has been enabled: whenever such a port receives an ARP message, it checks the message against the static ARP inspection entries in the message feature database and passes or filters the message according to the result, so as to guard against ARP spoofing sent by terminals connected under the port. The second type is the privileged port, on which the ARP entry inspection function is not enabled; for certain special reasons no static ARP inspection entries are configured on such ports, so terminals accessing through them are not subject to static ARP entry inspection, and a terminal can connect to the access device through such a port even without being authenticated by the authentication server.
On a privileged port without the ARP entry inspection function, a privileged terminal or any other terminal under the port can easily exploit the fact that the port performs no ARP inspection and send ARP spoofing messages impersonating the IP address or MAC address of a legitimate terminal under another port. Because the port does not perform static ARP entry inspection on received ARP messages, it passes such a spoofing message even though its sender IP address and sender MAC address are not the IP address and MAC address that actually correspond to a legitimate terminal, so the impersonated legitimate terminal under the other port suffers an ARP attack.
To defend against this ARP spoofing, in the present embodiment an anti-spoofing feature entry is configured in the message feature database for this class of privileged port of the access device, to guard against ARP spoofing sent by terminals connected under the port. Specifically, the anti-spoofing feature entry indicates that an ARP message received on the privileged port whose source IP address is the IP address of any legitimate terminal of the access device, or whose source MAC address is the MAC address of any legitimate terminal of the access device, is to be filtered.
Thus, when the access device receives, through a privileged port, an ARP message sent by a terminal connected to that port, it uses the anti-spoofing feature entry preset in the message feature database to detect whether the message is an ARP spoofing message. In this embodiment the ARP message received by the access device through the privileged port is called the first ARP message. The access device compares the sender IP address in the first ARP message with the IP addresses set in the anti-spoofing feature entry, and the sender MAC address in the first ARP message with the MAC addresses set in the entry, to detect whether the first ARP message matches the anti-spoofing feature entry. Detection by the anti-spoofing feature entry specifically means checking whether the sender IP address carried in the ARP message received on the privileged port is the IP address of a legitimate terminal authenticated by this access device, and whether the sender MAC address carried in that message is the MAC address of a legitimate terminal authenticated by this access device.
Step 101: if the first ARP message is detected to match the preset anti-spoofing feature entry, filter out the first ARP message.
If the above detection yields the result that the first ARP message matches the preset anti-spoofing feature entry, the following applies: since on a privileged port a terminal can connect to the access device without being authenticated by the authentication server, none of the terminals connected under the privileged port belong to the legitimate terminals that this access device has authenticated, and the message feature database of the access device therefore contains no IP address or MAC address feature entry corresponding to any terminal under the privileged port.
Therefore, if an ARP message received on the privileged port matches the preset anti-spoofing feature entry of the access device, that is, the sender IP address or sender MAC address of the first ARP message is the IP address or MAC address of some legitimate terminal of the access device, this shows that the first ARP message was sent by the terminal while impersonating the IP address or MAC address of another legitimate terminal of the access device rather than using its own IP address or MAC address, which is typical ARP spoofing behaviour. In that case the access device identifies the received ARP message as an ARP spoofing message and filters it, thereby defending against the ARP attack that this terminal carries out through the privileged port.
Thus, although no corresponding static ARP inspection entry is configured for the privileged port in the message feature database of the access device, by means of the configured anti-spoofing feature entry the access device can still promptly detect and filter out ARP spoofing messages that a malicious attacker sends through the privileged port while impersonating a legitimate terminal, which effectively guards against ARP spoofing carried out by an illegitimate terminal impersonating a legitimate terminal through a privileged port. Moreover, because on such ports received ARP messages must first undergo anti-spoofing entry inspection, even if a secure data channel has been opened on the port through which a specified class of ARP message is passed unconditionally, the ARP message must still pass anti-spoofing entry inspection before the secure data channel passes it; therefore, even on a port with a secure data channel enabled, configuring anti-spoofing entries equally prevents ARP spoofing attacks in which an illegitimate terminal uses such a port to impersonate a legitimate terminal.
Furthermore, the present embodiment only improves the message feature database of the access device by adding feature entries configured for privileged ports, and requires no change to the access terminals or the gateway device; its network configuration and implementation are simple, and it correspondingly improves the flexibility and stability of network deployment.
In the address resolution protocol message processing method of the present embodiment, an anti-spoofing feature entry is set in the message feature database of the access device, indicating that ARP spoofing messages received under a privileged port whose sender IP address impersonates the IP address of a legitimate terminal, and ARP spoofing messages whose sender MAC address impersonates the MAC address of a legitimate terminal, are to be filtered. Thus, when an illegitimate terminal attempts, through a privileged port on which the static ARP inspection function is not configured, to impersonate a legitimate terminal and send ARP spoofing messages to other terminals or the gateway of the access device, the privileged port can filter out the spoofing message by means of the preset anti-spoofing feature entry, which effectively guards against ARP spoofing carried out through a privileged port by an illegitimate terminal impersonating a legitimate terminal. Furthermore, implementing the invention requires no participation of the gateway device or of user hosts and adds no burden to the access device; the network configuration is simple, and the flexibility, stability and security of network deployment are greatly improved.
Fig. 2 is a flow chart of embodiment two of the address resolution protocol message processing method of the present invention. In this embodiment the access device is an access switch, taken as an example to describe the ARP message processing method of the present invention. As shown in Fig. 2, this embodiment specifically comprises the following steps:
Step 200: obtain the IP address and MAC address of each corresponding legitimate terminal;
In this embodiment, before the access switch uses the feature entries in the message feature database to defend against ARP spoofing attacks that a malicious attacker sends through a privileged port, and in order to set the corresponding anti-spoofing feature entries in its message feature database, the access switch must obtain the IP address and MAC address corresponding to each legitimate terminal it contains. Specifically, in this embodiment the access switch can obtain the IP address and MAC address information of legitimate terminals in at least the following two ways:
In the first way, during the authentication process in which an authenticating terminal authenticates with the authentication server, the access switch intercepts and parses the authentication information sent by the authenticating terminal to the authentication server and extracts the IP address and MAC address of the authenticating terminal carried in it; once the terminal has passed authentication, the extracted terminal IP address and MAC address are the IP address and MAC address corresponding to a legitimate terminal;
In the second way, the Dynamic Host Configuration Protocol snooping (DHCP-Snooping) security function is configured on the access switch; through this DHCP-Snooping function the access switch can intercept the DHCP messages sent by accessing legitimate terminals and, by parsing these DHCP messages, extract the IP address and MAC address of the legitimate terminals it contains.
Two ways of obtaining the IP address and MAC address of a legitimate terminal are listed above, but it should be understood that in practical applications the access switch can also obtain the IP address and MAC address of terminals that have passed authentication on the switch in various other ways, for example by command-line configuration; other applicable alternatives are equally within the scope protected by the present invention.
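The DHCP-Snooping route to the legal-terminal table described in step 200 can be illustrated with the following added Python example; it is example code written for this page, not the patent's or the assignee's implementation. The patent does not say which DHCP message the binding is taken from, so the block assumes, as conventional DHCP snooping does, that a binding (assigned IP address, client MAC address) is learned only from a DHCPACK arriving on a server-facing, trusted port, so that a host on an access port cannot forge bindings. The DHCP messages fed to it are constructed test input, and the offsets follow the fixed DHCP header layout of RFC 2131.

```python
import struct

# DHCP constants (RFC 2131 / RFC 2132)
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_END, OPT_PAD = 53, 255, 0
DHCPDISCOVER, DHCPACK = 1, 5


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_dhcp(op: int, msg_type: int, client_mac: bytes, yiaddr: bytes) -> bytes:
    """Construct a minimal DHCP message (test input built here, not captured traffic)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, 0x3903F326, 0, 0,          # op, htype, hlen, hops, xid, secs, flags
        b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    return fixed + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_dhcp(pkt: bytes):
    """Return (op, yiaddr, chaddr, msg_type), or None if the message is malformed."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        return None
    op, hlen = pkt[0], pkt[2]
    if hlen == 0 or hlen > 16:
        return None
    yiaddr = pkt[16:20]
    chaddr = pkt[28:28 + hlen]
    msg_type = None
    i = 240
    while i < len(pkt):                  # walk the TLV option list
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt):
            return None                  # truncated option header
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            return None                  # truncated option value
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    return op, yiaddr, chaddr, msg_type


class LegalTerminalTable:
    """IP-MAC bindings of legitimate terminals, learned by snooping DHCP."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ip = {}

    def learn_from_dhcp(self, pkt: bytes, from_trusted_port: bool) -> bool:
        """Record a binding from a DHCPACK seen on a server-facing (trusted) port.
        Assumption (not specified by the patent): only server replies on trusted
        ports are believed, so a host on an access port cannot forge a binding."""
        parsed = parse_dhcp(pkt)
        if parsed is None or not from_trusted_port:
            return False
        op, yiaddr, chaddr, msg_type = parsed
        if op != BOOTREPLY or msg_type != DHCPACK or yiaddr == b"\0" * 4:
            return False
        ip, mac = ip_str(yiaddr), mac_str(chaddr)
        self.ip_to_mac[ip] = mac
        self.mac_to_ip[mac] = ip
        return True
```

The two dictionaries are what steps 201 and 202 consume: each learned pair becomes a first anti-spoofing entry (the IP address) and a second anti-spoofing entry (the MAC address) in the message feature database. Rejecting truncated option lists matters because a parser that silently reads past the end of a malformed message would let a crafted DHCP message poison the table.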
Step 201: according to the obtained IP address and MAC address of the legitimate terminal, set the corresponding anti-spoofing feature entries for the privileged port in the feature database;
After the access switch has obtained the IP address and MAC address of a legitimate terminal in any of the above ways, in order to protect that legitimate terminal against ARP attacks, that is, to protect it from the ARP spoofing that an illegitimate terminal sends through a privileged port, the access switch adds the corresponding anti-spoofing feature entries to the message feature database according to the obtained IP address and MAC address; specifically, the access switch configures anti-spoofing feature entries in the message feature database for the privileged ports that are vulnerable to ARP spoofing. The anti-spoofing feature entry instructs the access switch to discard received ARP messages whose sender IP address is the IP address of this legitimate terminal, and to filter received ARP messages whose sender MAC address is the MAC address of this legitimate terminal.
Specifically, for the obtained IP address and MAC address of the legitimate terminal, the access switch can configure in the message feature database, for the privileged port, a first anti-spoofing feature entry corresponding to the IP address and a second anti-spoofing feature entry corresponding to the MAC address respectively. The first anti-spoofing feature entry instructs the access switch to filter received ARP messages whose sender IP address is the IP address of the legitimate terminal, and the second anti-spoofing feature entry instructs the access switch to filter received ARP messages whose sender MAC address is the MAC address of the legitimate terminal.
Step 202: according to the obtained IP address and MAC address of the legitimate terminal, set the corresponding anti-spoofing feature entries for the non-privileged ports in the feature database;
Step 203: on the non-privileged ports, set the priority of the anti-spoofing feature entries lower than that of the static ARP inspection entries;
Furthermore, while configuring these feature entries for the privileged port, the access switch can at the same time configure corresponding anti-spoofing feature entries in the message feature database for the non-privileged ports of the switch, that is, the ports on which the static ARP inspection function is enabled and received ARP messages must undergo static ARP inspection, and set the priority of these newly configured anti-spoofing feature entries lower than the priority of the static ARP inspection entries.
The purpose of this setting is as follows: on a non-privileged port of the access switch with the static ARP inspection function enabled, a connected terminal must pass authentication by the authentication server before it can send data messages through the port and connect to the switch, so such a non-privileged port usually has several authenticated legitimate terminals connected under it. If, when the non-privileged port received an ARP message, it directly applied the anti-spoofing feature entries configured above to inspect the message, the legitimate ARP messages sent by those legitimate terminals would satisfy the condition of the anti-spoofing feature entries and would be filtered instead of passed.
Therefore, to avoid this, in this embodiment, when adding anti-spoofing feature entries for a non-privileged port in the message feature database, the access switch also sets their priority on the non-privileged port lower than that of the static ARP inspection entries, so that when a legitimate terminal sends a legitimate ARP message through the non-privileged port, the port first checks the message against the static ARP inspection entries. According to that result the legitimate ARP message matches the static ARP inspection entry corresponding to the non-privileged port and is finally passed, which avoids the situation in which a legitimate ARP message inspected directly against the anti-spoofing feature entries would be identified as an ARP spoofing message and filtered.
Step 204: receive a first ARP message sent by a terminal through a privileged port;
Step 205: detect whether the first ARP message matches an anti-spoofing feature entry; if so, execute step 206, otherwise execute step 207;
Step 206: filter the first ARP message;
Step 207: pass the first ARP message;
After the access switch has configured the anti-spoofing feature entries corresponding to the IP address and MAC address of each legitimate terminal, when it receives a first ARP message sent by a terminal through a privileged port, because no static ARP inspection function is configured on the privileged port, the access switch directly performs anti-spoofing feature entry inspection on the first ARP message; specifically, it detects whether the sender IP address of the first ARP message matches a first anti-spoofing feature entry in the message feature database, and whether the sender MAC address of the first ARP message matches a second anti-spoofing feature entry in the message feature database.
Specifically, the access switch extracts the sender IP address and the sender MAC address carried in the first ARP message, queries the feature database for a first anti-spoofing feature entry corresponding to the extracted sender IP address, and queries it for a second anti-spoofing feature entry corresponding to the extracted sender MAC address. Whether the first ARP message matches the first anti-spoofing feature entry or the second, it is shown to be an ARP spoofing message sent by an illegitimate terminal under the privileged port, the only difference being which type of address of the legitimate terminal it impersonates, so in either case the access switch filters the first ARP message.
Furthermore, in addition to filtering out the first ARP message so that it cannot reach the destination terminal, the access switch can also keep statistics on it, that is, according to the result of the anti-spoofing entry inspection of received first ARP messages, record that ARP spoofing impersonating a legitimate terminal has occurred on the corresponding port. The access switch can further send the ARP spoofing messages it detects to another analysis device for statistics and analysis.
If, on the other hand, the detection shows that the first ARP message matches none of the anti-spoofing feature entries configured in the anti-spoofing feature database, this shows that the first ARP message is not an ARP spoofing message in which a terminal under the port impersonates a legitimate terminal of the access switch, so the access switch passes the first ARP message and lets it be sent to the destination terminal.
Step 208: a second ARP message sent by a terminal is received through a non-privileged port;
Step 209: detect whether the second ARP message matches the static ARP detection entry corresponding to this non-privileged port; if it does not, execute step 210; if it does, execute step 212;
If the access switch receives the second ARP message sent by a terminal through a non-privileged port, that is, a port configured with static ARP entry detection, then according to the feature detection entries corresponding to this non-privileged port in the message feature database and the priority levels of those entries, the access switch first detects whether the second ARP message matches a static ARP detection entry configured for this non-privileged port.
Specifically, for a given non-privileged port, multiple static ARP detection entries can be configured in the message feature database. Each static ARP detection entry corresponds to one authenticated legitimate terminal under this non-privileged port and indicates that a received ARP message whose sender IP address and sender MAC address correspond to the IP address and MAC address of that legitimate terminal is to be passed.
Therefore, when the access switch receives the second ARP message through this non-privileged port, it first performs static ARP detection entry detection on it, which intercepts ARP messages sent by unauthenticated terminals under this port as well as ARP spoofing messages sent by terminals carrying out malicious ARP spoofing attacks. Further, performing the static ARP entry detection before the subsequent anti-spoofing feature entry detection lets the legitimate ARP messages sent by legitimate terminals pass, and avoids legitimate ARP messages being identified as ARP spoofing messages and discarded in the subsequent detection.
After the static ARP entry detection of the received second ARP message, if the second ARP message matches a static ARP detection entry configured for this non-privileged port, the terminal that sent it is an authenticated legitimate terminal under this port and the ARP message it sent is a legitimate ARP message; the access switch therefore returns to step 206, lets the second ARP message pass, and it can be forwarded to the destination terminal.
Step 210: detect whether the second ARP message matches the preset anti-spoofing feature entry, so as to record statistics on the ARP spoofing attack behaviour received by the access device, and execute step 211;
Step 211: filter the second ARP message;
Step 212: let the second ARP message pass;
Conversely, if the static ARP entry detection of the received second ARP message yields the result that it does not match the static ARP detection entry configured for this non-privileged port, the terminal that sent the second ARP message is an unauthenticated terminal under this port or a terminal launching a malicious attack, and the second ARP message is very likely an ARP attack message sent by that terminal and should be filtered.
At this point the access switch could directly filter the second ARP message. In this embodiment, however, according to the configuration of the feature detection entries in the message feature database, the access switch further detects whether the second ARP message matches the preset anti-spoofing feature entries described above, that is, whether its sender IP address matches the preset first anti-spoofing feature entry and whether its sender MAC address matches the preset second anti-spoofing feature entry. Regardless of whether the second ARP message matches an anti-spoofing feature entry, the access switch judges from the fact that it does not match a static ARP detection entry that the second ARP message is an ARP spoofing message sent by a terminal under this port, and filters it in order to defend against the ARP spoofing attacks produced by terminals under this port.
In this embodiment, the purpose of the further anti-spoofing feature entry detection after the second ARP message has been found not to match a static ARP detection entry is the following. An ARP message that matches an anti-spoofing feature entry must be an ARP spoofing message sent by a malicious terminal impersonating the address of a legitimate terminal, so from this detection result the access switch can record statistics on this class of ARP spoofing attack sent by terminals under each port, for example the number and frequency of ARP spoofing attacks, and on that basis analyse the ARP attack state of each port and formulate a corresponding attack protection policy. Specifically, from the detection results of the first anti-spoofing feature entry and of the second anti-spoofing feature entry applied to the received ARP messages, the access switch can separately count the ARP spoofing attack behaviour under the corresponding port that impersonates the IP address of a legitimate terminal and that which impersonates the MAC address of a legitimate terminal. According to these statistics, the access switch can adjust and manage the performance state of this port, or even of the access switch as a whole.
Specifically, if the further detection shows that the second ARP message matches neither a static ARP detection entry nor a preset anti-spoofing feature entry, this indicates that although the terminal sending the second ARP message is not an authenticated legitimate terminal of the access switch (no static ARP detection entry matches), for example it may be a malicious attack terminal or a terminal not yet authenticated by the access switch, in this ARP spoofing behaviour the terminal did not impersonate the IP address or MAC address of another legitimate terminal to send ARP spoofing messages (no anti-spoofing feature entry matches). The access switch therefore filters the second ARP message without needing to record corresponding statistics for it.
Conversely, if the further detection shows that the second ARP message does not match a static ARP detection entry but does match a preset anti-spoofing feature entry, this indicates that the terminal sending the second ARP message is not only not an authenticated legitimate terminal of the access switch (no static ARP detection entry matches), but in this ARP spoofing behaviour also impersonated the IP address or MAC address of another legitimate terminal to send ARP spoofing messages to other legitimate terminals (an anti-spoofing feature entry matches). After filtering the second ARP message, the access switch can therefore also record this instance of ARP spoofing attack behaviour for subsequent statistics and management.
After performing the static ARP entry detection and the anti-spoofing entry detection, the access switch can filter out the ARP spoofing messages sent under a non-privileged port by terminals impersonating legitimate terminals against other terminals or the gateway. Thus even if a secure data channel has been opened on this port, through which a specified class of ARP message is passed unconditionally, the received ARP message must still undergo static ARP entry detection and anti-spoofing entry detection before the secure data channel passes it. Therefore, even for a port on which a secure data channel has been opened, whether it is a non-privileged port configured with static ARP detection entries or a privileged port without them, configuring anti-spoofing entries equally prevents the ARP spoofing attacks in which an illegitimate terminal uses such a port to impersonate a legitimate terminal.
In the ARP message processing method of this embodiment, when a static ARP detection entry is configured for a legitimate user in the message feature database of the corresponding port of the access device, two feature entries with a priority lower than the static ARP detection entry are additionally configured for that legitimate user: one instructs that ARP spoofing messages sent under any port globally whose sender MAC address impersonates the MAC address of the legitimate terminal be filtered, and the other instructs that ARP spoofing messages sent under any port globally whose sender IP address impersonates the IP address of the legitimate terminal be filtered. This effectively prevents the ARP spoofing attacks in which an illegitimate user impersonates a legitimate terminal against other terminals or the gateway device through a privileged port of the access device on which the ARP detection function is not configured. Further, implementing the invention requires no participation of the gateway device or the user hosts, adds no burden to the access switch, and keeps the network configuration simple, greatly improving the flexibility, stability and security of the network deployment.
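The two-level entry detection described in steps 201 to 212 and in the apparatus embodiments below, as an added illustration that is not the patent's or the assignee's code: a message feature database holding per-port static ARP entries (higher priority) and global IP and MAC anti-spoofing entries (lower priority), a sender-address extractor for raw ARP payloads, and a switch that passes, filters and counts impersonation attempts per port. Port names, addresses and the database layout are constructed assumptions.

```python
"""ARP message classification on an access switch, following the two-level
entry detection of this embodiment.  Added illustration, not the patent's or
Ruijie's code; ports, addresses and the database layout are constructed."""
import struct
from collections import Counter
from dataclasses import dataclass, field

PASS, FILTER = "pass", "filter"
ARP_FMT = "!HHBBH6s4s6s4s"  # hw type, proto type, hlen, plen, opcode, sha, spa, tha, tpa


@dataclass
class ArpMessage:
    sender_mac: str
    sender_ip: str
    opcode: int  # 1 = request, 2 = reply


def parse_arp(payload: bytes) -> ArpMessage:
    """Extract the sender MAC and sender IP carried in a raw Ethernet/IPv4 ARP payload."""
    hw, proto, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return ArpMessage(":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa), op)


def build_arp(sender_mac: str, sender_ip: str, target_ip: str, opcode: int = 1) -> bytes:
    """Constructed ARP payload for the examples below (target MAC left all-zero)."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac(sender_mac), ip(sender_ip), bytes(6), ip(target_ip))


@dataclass
class FeatureDatabase:
    """Message feature database: static ARP entries per non-privileged port
    (higher priority) plus global anti-spoofing entries (lower priority)."""
    static_ports: set = field(default_factory=set)   # ports with static ARP detection on
    static_arp: dict = field(default_factory=dict)   # port -> {(ip, mac)} of authenticated terminals
    legal_ips: set = field(default_factory=set)      # first anti-spoofing entries (sender IP)
    legal_macs: set = field(default_factory=set)     # second anti-spoofing entries (sender MAC)

    def add_legal_terminal(self, port: str, ip: str, mac: str) -> None:
        """Called once authentication (or the DHCP security feature) has yielded the
        terminal's IP/MAC: one static entry on its own port, two global entries."""
        if port not in self.static_ports:
            raise ValueError(f"{port} has no static ARP detection; cannot hold a static entry")
        self.static_arp.setdefault(port, set()).add((ip, mac))
        self.legal_ips.add(ip)
        self.legal_macs.add(mac)


class AccessSwitch:
    def __init__(self, db: FeatureDatabase):
        self.db = db
        self.spoof_stats = Counter()  # (port, "ip" | "mac") -> impersonation count

    def _anti_spoof_detect(self, port: str, msg: ArpMessage) -> bool:
        """Anti-spoofing entry detection; counts IP and MAC impersonation separately."""
        ip_hit = msg.sender_ip in self.db.legal_ips
        mac_hit = msg.sender_mac in self.db.legal_macs
        if ip_hit:
            self.spoof_stats[(port, "ip")] += 1
        if mac_hit:
            self.spoof_stats[(port, "mac")] += 1
        return ip_hit or mac_hit

    def process(self, port: str, payload: bytes) -> str:
        msg = parse_arp(payload)
        if port in self.db.static_ports:
            # Non-privileged port (steps 208-212): the static entry has priority.
            if (msg.sender_ip, msg.sender_mac) in self.db.static_arp.get(port, set()):
                return PASS
            # No static match: the message is filtered regardless; the anti-spoofing
            # detection here only feeds the per-port attack statistics.
            self._anti_spoof_detect(port, msg)
            return FILTER
        # Privileged port (no static ARP detection): the anti-spoofing entries decide.
        return FILTER if self._anti_spoof_detect(port, msg) else PASS


def demo() -> Counter:
    """Legitimate terminal on Gi0/1; Gi0/2 is a privileged port (constructed values)."""
    db = FeatureDatabase(static_ports={"Gi0/1"})
    db.add_legal_terminal("Gi0/1", "192.0.2.10", "00:00:5e:00:53:0a")
    sw = AccessSwitch(db)
    cases = [
        ("Gi0/1", build_arp("00:00:5e:00:53:0a", "192.0.2.10", "192.0.2.1")),  # own terminal: pass
        ("Gi0/1", build_arp("00:00:5e:00:53:ff", "192.0.2.10", "192.0.2.1")),  # spoofs legal IP
        ("Gi0/2", build_arp("00:00:5e:00:53:0a", "192.0.2.77", "192.0.2.1")),  # spoofs legal MAC
        ("Gi0/2", build_arp("00:00:5e:00:53:ee", "192.0.2.99", "192.0.2.1")),  # unknown: pass
    ]
    for port, payload in cases:
        print(port, parse_arp(payload).sender_ip, sw.process(port, payload))
    return sw.spoof_stats


if __name__ == "__main__":
    print(dict(demo()))
```

Because the anti-spoofing entries are global, a legitimate terminal's own ARP messages are only passed on the port that holds its static entry, which is why the method configures static entries only for authenticated terminals on non-privileged ports.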
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be implemented by program instructions controlling the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium capable of storing program code, such as ROM, RAM, magnetic disk or optical disc.
Fig. 3 is a schematic structural diagram of embodiment one of the ARP message processing apparatus of the present invention. As shown in Fig. 3, the ARP message processing apparatus of this embodiment comprises a first message receiving module 11, a first entry detection module 12 and a first message filtering module 13.
The first message receiving module 11 receives a first ARP message sent by a terminal through a privileged port. The first entry detection module 12 detects whether the first ARP message received by the first message receiving module 11 matches the preset anti-spoofing feature entries of the access device, where the anti-spoofing feature entries comprise filtering ARP messages whose sender IP address is the IP address of any legitimate terminal of the access device and filtering ARP messages whose sender MAC address is the MAC address of any legitimate terminal of the access device, and the privileged port comprises a port on which the static ARP detection function is not configured. The first message filtering module 13 filters the first ARP message if the first entry detection module 12 detects that it matches a preset anti-spoofing feature entry.
Specifically, the detailed operation of the modules in this embodiment can be found in the relevant description of the related embodiments of the ARP message processing method above and is not repeated here.
In the ARP message processing apparatus of this embodiment, anti-spoofing feature entries are configured in the message feature database of the access device, instructing that ARP spoofing messages received under a privileged port of the access device whose sender IP address impersonates the IP address of a legitimate terminal, or whose sender MAC address impersonates the MAC address of a legitimate terminal, be filtered. Thus, when an illegitimate terminal attempts to impersonate a legitimate terminal through a privileged port without the static ARP detection function and to send ARP spoofing messages to other terminals of the access device or to the gateway device, the privileged port filters out the ARP spoofing messages by means of the preset anti-spoofing feature entries, effectively preventing the ARP spoofing behaviour in which an illegitimate terminal impersonates a legitimate terminal through a privileged port. Further, implementing the invention requires no participation of the gateway device or the user hosts, adds no burden to the access device, and keeps the network configuration simple, greatly improving the flexibility, stability and security of the network deployment.
Fig. 4 is a schematic structural diagram of embodiment two of the ARP message processing apparatus of the present invention. As shown in Fig. 4, on the basis of embodiment one above, the ARP message processing apparatus of this embodiment can also comprise a second message receiving module 14, a second entry detection module 15, a third entry detection module 16 and a second message filtering module 17.
The second message receiving module 14 receives a second ARP message sent by a terminal through a non-privileged port. The second entry detection module 15 detects whether the second ARP message matches the static ARP detection entry corresponding to the non-privileged port, where the static ARP detection entry comprises passing ARP messages whose sender IP address and sender MAC address correspond to the IP address and MAC address of any legitimate terminal under the non-privileged port, and the non-privileged port comprises a port on which the static ARP detection function is configured. The third entry detection module 16 further detects whether the second ARP message matches the preset anti-spoofing feature entry if the second entry detection module 15 detects that it does not match the static ARP detection entry, so as to record statistics on the ARP spoofing attack behaviour received by the access device. The second message filtering module 17 filters the second ARP message after the third entry detection module 16 has detected it.
Further, the ARP message processing apparatus of this embodiment can also comprise an address extraction module 18, a first entry setting module 19, a second entry setting module 110 and a priority setting module 111.
The address extraction module 18 extracts, before the first message receiving module 11 receives the first ARP message through the privileged port, the IP address and MAC address corresponding to a legitimate terminal of the access device from the authentication information sent by the legitimate terminal, or by DHCP security feature technology from an intercepted DHCP message sent by the legitimate terminal. The first entry setting module 19 configures, according to the IP address and MAC address extracted by the address extraction module 18, the corresponding anti-spoofing feature entry for the privileged port in the message feature database.
The second entry setting module 110 configures, after the address extraction module 18 has extracted the IP address and MAC address corresponding to the legitimate terminal, the corresponding anti-spoofing feature entry for the non-privileged port in the message feature database according to the extracted IP address and MAC address. The priority setting module 111 sets, on the non-privileged port, the priority level of this anti-spoofing feature entry lower than that of the static ARP detection entry.
Further, in this embodiment, the ARP message processing apparatus can also comprise a message passing module 112, which passes the first ARP message if the first entry detection module 12 detects that it does not match the preset anti-spoofing feature entry.
Specifically, the detailed operation of the modules above in this embodiment can likewise be found in the relevant description of the related embodiments of the ARP message processing method above and is not repeated here.
In the ARP message processing apparatus of this embodiment, when a static ARP detection entry is configured for a legitimate user in the message feature database of the corresponding port of the access device, two feature entries with a priority lower than the static ARP detection entry are additionally configured for that legitimate user: one instructs that ARP spoofing messages sent under any port globally whose sender MAC address impersonates the MAC address of the legitimate terminal be filtered, and the other instructs that ARP spoofing messages sent under any port globally whose sender IP address impersonates the IP address of the legitimate terminal be filtered. This effectively prevents the ARP spoofing attacks in which an illegitimate terminal impersonates a legitimate terminal against other terminals under the access device or the gateway through a privileged port of the switch on which the ARP detection function is not configured. Further, implementing the invention requires no participation of the gateway device or the user hosts, adds no burden to the access switch, and keeps the network configuration simple, greatly improving the flexibility, stability and security of the network deployment.
Fig. 5 is a schematic structural diagram of the access device embodiment of the present invention. As shown in Fig. 5, the access device of this embodiment comprises an access module 1 and an ARP message processing apparatus 2 connected to the access module 1. Specifically, the access device of this embodiment can be a routing device such as an access switch or an access router. The access module 1 authenticates the accessing client terminals so that they can access the server; the modules comprised in the ARP message processing apparatus 2, and the detailed operation of each module, can be found in the relevant description of the related embodiments of the ARP message processing method and apparatus above and are not repeated here.
In the access device of this embodiment, anti-spoofing feature entries are configured in the message feature database of the access device, instructing that ARP spoofing messages received under a privileged port of the access device whose sender IP address impersonates the IP address of a legitimate terminal, or whose sender MAC address impersonates the MAC address of a legitimate terminal, be filtered. Thus, when an illegitimate terminal attempts to impersonate a legitimate terminal through a privileged port without the static ARP detection function and to send ARP spoofing messages to other terminals of the access device or to the gateway device, the privileged port filters out the ARP spoofing messages by means of the preset anti-spoofing feature entries, effectively preventing the ARP spoofing behaviour in which an illegitimate terminal impersonates a legitimate terminal through a privileged port. Further, implementing the invention requires no participation of the gateway device or the user hosts, adds no burden to the access device, and keeps the network configuration simple, greatly improving the flexibility, stability and security of the network deployment.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. An address resolution protocol (ARP) message processing method, characterized in that it comprises:
when an access device receives a first ARP message sent by a terminal through a privileged port, detecting whether the first ARP message matches a preset anti-spoofing feature entry of the access device, the anti-spoofing feature entry comprising filtering ARP messages whose sender IP address is the IP address of any legitimate terminal of the access device and filtering ARP messages whose sender MAC address is the MAC address of said any legitimate terminal, and the privileged port comprising a port on which a static ARP detection function is not configured;
if the first ARP message is detected to match the preset anti-spoofing feature entry, filtering the first ARP message.
2. The ARP message processing method according to claim 1, characterized in that the method further comprises:
when the access device receives a second ARP message sent by a terminal through a non-privileged port, detecting whether the second ARP message matches a static ARP detection entry corresponding to the non-privileged port, the static ARP detection entry comprising passing ARP messages whose sender IP address and sender MAC address correspond to the IP address and MAC address of any legitimate terminal under the non-privileged port, and the non-privileged port comprising a port on which the static ARP detection function is configured;
if the second ARP message does not match the static ARP detection entry, detecting whether the second ARP message matches the preset anti-spoofing feature entry, so as to record statistics on the ARP spoofing attack behaviour received by the access device, and filtering the second ARP message.
3. The ARP message processing method according to claim 1 or 2, characterized in that, before the access device receives the first ARP message sent by the terminal through the privileged port, the method further comprises:
extracting the IP address and MAC address corresponding to a legitimate terminal of the access device from authentication information sent by the legitimate terminal, or by DHCP security feature technology from an intercepted DHCP message sent by the legitimate terminal;
according to the extracted IP address and MAC address, configuring the corresponding anti-spoofing feature entry for the privileged port in a message feature database of the access device.
4. The ARP message processing method according to claim 3, characterized in that, after extracting the IP address and MAC address corresponding to the legitimate terminal of the access device, the method further comprises:
according to the extracted IP address and MAC address, configuring the corresponding anti-spoofing feature entry for the non-privileged port in the message feature database;
on the non-privileged port, setting the priority level of the anti-spoofing feature entry lower than that of the static ARP detection entry.
5. The ARP message processing method according to claim 1, characterized in that the method further comprises:
if the first ARP message is detected not to match the preset anti-spoofing feature entry, passing the first ARP message.
6. An ARP message processing apparatus, characterized in that it comprises:
a first message receiving module, configured to receive a first ARP message sent by a terminal through a privileged port;
a first entry detection module, configured to detect whether the first ARP message matches a preset anti-spoofing feature entry of an access device, the anti-spoofing feature entry comprising filtering ARP messages whose sender IP address is the IP address of any legitimate terminal of the access device and filtering ARP messages whose sender MAC address is the MAC address of said any legitimate terminal, and the privileged port comprising a port on which a static ARP detection function is not configured;
a first message filtering module, configured to filter the first ARP message if the first entry detection module detects that the first ARP message matches the preset anti-spoofing feature entry.
7. The ARP message processing apparatus according to claim 6, characterized in that the apparatus further comprises:
a second message receiving module, configured to receive a second ARP message sent by a terminal through a non-privileged port;
a second entry detection module, configured to detect whether the second ARP message matches a static ARP detection entry corresponding to the non-privileged port, the static ARP detection entry comprising passing ARP messages whose sender IP address and sender MAC address correspond to the IP address and MAC address of any legitimate terminal under the non-privileged port, and the non-privileged port comprising a port on which the static ARP detection function is configured;
a third entry detection module, configured to detect, if the second entry detection module detects that the second ARP message does not match the static ARP detection entry, whether the second ARP message matches the preset anti-spoofing feature entry, so as to record statistics on the ARP spoofing attack behaviour received by the access device;
a second message filtering module, configured to filter the second ARP message after the third entry detection module has detected the second ARP message.
8. The ARP message processing apparatus according to claim 6 or 7, characterized in that the apparatus further comprises:
an address extraction module, configured to extract, before the first message receiving module receives the first ARP message through the privileged port, the IP address and MAC address corresponding to a legitimate terminal of the access device from authentication information sent by the legitimate terminal, or by DHCP security feature technology from an intercepted DHCP message sent by the legitimate terminal;
a first entry setting module, configured to configure, according to the extracted IP address and MAC address, the corresponding anti-spoofing feature entry for the privileged port in a message feature database.
9. The ARP message processing apparatus according to claim 8, characterized in that the apparatus further comprises:
a second entry setting module, configured to configure, after the address extraction module has extracted the IP address and MAC address corresponding to the legitimate terminal of the access device, the corresponding anti-spoofing feature entry for the non-privileged port in the message feature database according to the extracted IP address and MAC address;
a priority setting module, configured to set, on the non-privileged port, the priority level of the anti-spoofing feature entry lower than that of the static ARP detection entry.
10. The ARP message processing apparatus according to claim 6, characterized in that the apparatus further comprises:
a message passing module, configured to pass the first ARP message if the first entry detection module detects that the first ARP message does not match the preset anti-spoofing feature entry.
11. An access device comprising an access module, characterized in that it further comprises the ARP message processing apparatus according to any one of claims 6 to 10, the ARP message processing apparatus being connected to the access module.
CN2010101591759A 2010-04-28 2010-04-28 Address resolution protocol (ARP) message processing method, device and access equipment Expired - Fee Related CN101888329B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101591759A CN101888329B (en) 2010-04-28 2010-04-28 Address resolution protocol (ARP) message processing method, device and access equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010101591759A CN101888329B (en) 2010-04-28 2010-04-28 Address resolution protocol (ARP) message processing method, device and access equipment

Publications (2)

Publication Number Publication Date
CN101888329A true CN101888329A (en) 2010-11-17
CN101888329B CN101888329B (en) 2013-04-17

Family

ID=43074062

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101591759A Expired - Fee Related CN101888329B (en) 2010-04-28 2010-04-28 Address resolution protocol (ARP) message processing method, device and access equipment

Country Status (1)

Country Link
CN (1) CN101888329B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102427460A (en) * 2011-12-29 2012-04-25 深信服网络科技(深圳)有限公司 Multistage detection and defense method to ARP spoof
CN103001968A (en) * 2012-12-14 2013-03-27 温州电力局 Network monitoring system and method
CN103873434A (en) * 2012-12-10 2014-06-18 台众计算机股份有限公司 Method for identifying event of website
CN105635067A (en) * 2014-11-04 2016-06-01 华为技术有限公司 Packet transmission method and apparatus
CN106453308A (en) * 2016-10-10 2017-02-22 合肥红珊瑚软件服务有限公司 Method for preventing ARP cheating
CN106488458A (en) * 2016-12-21 2017-03-08 锐捷网络股份有限公司 The method and device of detection gateway A RP deception
CN107786679A (en) * 2016-08-25 2018-03-09 大连楼兰科技股份有限公司 Ensure the method and device of ARP message safeties
CN109981603A (en) * 2019-03-07 2019-07-05 北京华安普特网络科技有限公司 ARP Attack monitoring system and method
CN113381936A (en) * 2020-03-09 2021-09-10 阿里巴巴集团控股有限公司 Network information processing method and device and network equipment
CN114629689A (en) * 2022-02-24 2022-06-14 广东电网有限责任公司 IP address fraud identification method and device, computer equipment and storage medium
CN115065494A (en) * 2022-04-02 2022-09-16 北京北信源软件股份有限公司 Method, device, equipment and medium for establishing network connection

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1233135C (en) * 2002-06-22 2005-12-21 华为技术有限公司 Method for preventing IP address deceit in dynamic address distribution
CN101394360A (en) * 2008-11-10 2009-03-25 北京星网锐捷网络技术有限公司 Processing method, access device and communication system for address resolution protocol
WO2010036054A2 (en) * 2008-09-25 2010-04-01 주식회사 안철수연구소 Method for detecting an arp attack, and system using same

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
《网络安全》 (Network Security) 20070731 徐涛 "Principles of Ethernet-based ARP spoofing and its defense" 22-24 1-11 , *

Cited By (17)

Publication number Priority date Publication date Assignee Title
CN102427460B (en) * 2011-12-29 2015-03-11 深信服网络科技(深圳)有限公司 Multistage detection and defense method to ARP spoof
CN102427460A (en) * 2011-12-29 2012-04-25 深信服网络科技(深圳)有限公司 Multistage detection and defense method to ARP spoof
CN103873434A (en) * 2012-12-10 2014-06-18 台众计算机股份有限公司 Method for identifying event of website
CN103001968A (en) * 2012-12-14 2013-03-27 温州电力局 Network monitoring system and method
US10791127B2 (en) 2014-11-04 2020-09-29 Huawei Technologies Co., Ltd. Packet transmission method and apparatus
CN105635067A (en) * 2014-11-04 2016-06-01 华为技术有限公司 Packet transmission method and apparatus
CN105635067B (en) * 2014-11-04 2019-11-15 华为技术有限公司 File transmitting method and device
CN107786679A (en) * 2016-08-25 2018-03-09 大连楼兰科技股份有限公司 Ensure the method and device of ARP message safeties
CN106453308A (en) * 2016-10-10 2017-02-22 合肥红珊瑚软件服务有限公司 Method for preventing ARP cheating
CN106488458A (en) * 2016-12-21 2017-03-08 锐捷网络股份有限公司 The method and device of detection gateway A RP deception
CN109981603A (en) * 2019-03-07 2019-07-05 北京华安普特网络科技有限公司 ARP Attack monitoring system and method
CN113381936A (en) * 2020-03-09 2021-09-10 阿里巴巴集团控股有限公司 Network information processing method and device and network equipment
CN113381936B (en) * 2020-03-09 2023-08-15 阿里巴巴集团控股有限公司 Network information processing method and device and network equipment
CN114629689A (en) * 2022-02-24 2022-06-14 广东电网有限责任公司 IP address fraud identification method and device, computer equipment and storage medium
CN114629689B (en) * 2022-02-24 2023-10-03 广东电网有限责任公司 IP address fraud recognition method, device, computer equipment and storage medium
CN115065494A (en) * 2022-04-02 2022-09-16 北京北信源软件股份有限公司 Method, device, equipment and medium for establishing network connection
CN115065494B (en) * 2022-04-02 2023-11-14 北京北信源软件股份有限公司 Method, device, equipment and medium for establishing network connection

Also Published As

Publication number Publication date
CN101888329B (en) 2013-04-17

Similar Documents

Publication Publication Date Title
CN101888329B (en) Address resolution protocol (ARP) message processing method, device and access equipment
US10193924B2 (en) Network intrusion diversion using a software defined network
CN101136922B (en) Service stream recognizing method, device and distributed refusal service attack defending method, system
CN111131310B (en) Access control method, device, system, computer device and storage medium
CN102438028B (en) A kind of prevent Dynamic Host Configuration Protocol server from cheating method, Apparatus and system
US8966608B2 (en) Preventing spoofing
WO2021233373A1 (en) Network security protection method and apparatus, storage medium and electronic device
Hijazi et al. Address resolution protocol spoofing attacks and security approaches: A survey
CN101631026A (en) Method and device for defending against denial-of-service attacks
US20070294759A1 (en) Wireless network control and protection system
US20140020067A1 (en) Apparatus and method for controlling traffic based on captcha
CN101345743A (en) Method and system for preventing network attack by utilizing address analysis protocol
AU2008256210A1 (en) Network and computer firewall protection with dynamic address isolation to a device
CN101415012A (en) Method and system for defending address analysis protocol message aggression
CN107707435B (en) Message processing method and device
KR100996288B1 (en) A method for neutralizing the ARP spoofing attack by using counterfeit MAC addresses
CN101651696A (en) Method and device for preventing neighbor discovery (ND) attack
CN110830447A (en) SPA single packet authorization method and device
CN105610851A (en) Method and system for defending distributed denial of service (DDoS) attack
CN101459653B (en) Method for preventing DHCP packet attack based on Snooping technique
CN115378625B (en) Cross-network information security interaction method and system
CN101567883B (en) Realization method for preventing MAC address forgery
Hijazi et al. A new detection and prevention system for ARP attacks using static entry
KR100723864B1 (en) Method for blocking network attacks using the information in packet and apparatus thereof
CN101577645B (en) Method and device for detecting counterfeit network equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130417